Patch Tuesday December 2025 - Critical Microsoft Security Patches Released For Privilege Escalation and Remote Code Vulnerabilities

Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive’s Container 7 Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

CVE-2025-62221 - 7.8 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Kev Breen, Senior Director, Cyber Threat Research, Immersive

At the top of the list of vulnerabilities to patch is one that is currently being actively exploited in the wild by threat actors. CVE-2025-62221 is a Privilege Escalation Vulnerability affecting the Windows Cloud Files Mini Filter Driver. This isn’t the first time we have seen this component being actively exploited in recent years, with several other CVEs affecting this component. Microsoft has not provided any details on how this exploit is being abused or provided any indicators of compromise, making it harder for defenders to start proactive threat hunting. 

This vulnerability is a local privilege escalation vulnerability, meaning that a malicious actor must already have code execution on the target host. With this vulnerability, an attacker who already has access can then gain SYSTEM-level access to the affected host machine and, from there, perform a number of actions, including disabling any security logging and endpoint detection, dumping more credentials using tools like Mimikatz that could then enable the compromise of domain accounts and lateral movement. 

Privilege Escalation Vulnerabilities are observed in almost every incident involving host compromises, making this a critical vulnerability to patch to limit an attacker's capabilities. 

CVE-2025-62221 is not the only vulnerability that should be high on the list. Microsoft has also declared 6 additional CVEs as “more likely to be exploited,” and they’re all listed as “Elevation of Privilege Vulnerability.”

• CVE-2025-62454 -- Windows Cloud Files Mini Filter Driver
• CVE-2025-62458 -- Win32k
• CVE-2025-62470 -- Windows Common Log File System Driver
• CVE-2025-62472 -- Windows Remote Access Connection Manager
• CVE-2025-59516 -- Windows Storage VSP Driver
• CVE-2025-59517 -- Windows Storage VSP Driver

We don't know why Microsoft has marked these specifically as more likely, but the majority of these components have historically been exploited in the wild or have enough technical detail on previous CVEs that it would be easier for threat actors to weaponize these. Either way, while not actively being exploited, these should be patched sooner rather than later. 

CVE-2025-64671 - 8.4 - GitHub Copilot for JetBrains Remote Code Execution Vulnerability

Kev Breen, Senior Director, Cyber Threat Research, Immersive

This one stands out as an interesting vulnerability. Copilot is the GenAI coding assistant that is used by Microsoft and GitHub. This vulnerability specifically refers to the JetBrains extensions. The vulnerability states that it’s possible to gain code execution on affected hosts by tricking the LLM into running commands that bypass the guardrails and appending instructions in the user's “auto-approve” settings. This can be achieved through “Cross Prompt Injection,” which is where the prompt is modified not by the user but by the LLM agents as they craft their own prompts based on the content of files or data retrieved from a Model Context Protocol (MCP) server that has risen in popularity with agent-based LLMs. 

This vulnerability affects developers in organizations. Although Microsoft has marked this exploitation as less likely, when taking a risk-based approach, developers typically have access to API keys and Secrets that could enable a large attack surface for attackers.  

Any organizations using GitHub Copilot for JetBrains should likely patch this issue promptly before threat actors find a way to exploit it.